
Basic Usage

Vitor Oriel edited this page May 5, 2022 · 20 revisions

The Result class

The FuzzingTool result class contains the base result information and can also hold custom information added by plugins. Check the attributes of Result.

Matching results

Every scanner runs a match analysis on each FuzzingTool result before any other specific scan. You can match results based on the response: status code -Mc, length -Ms and elapsed time -Mt.

Match by status code: Set a single status code, a list, or a range of status codes to match.

-Mc 500 # Set only status code 500
-Mc 200,301,302 # Set a list of status codes; including 200, 301 and 302
-Mc 500-600 # Set a range of status codes; 500 <= status <= 600
-Mc 200,301,302,500-600 # Combination of the previous examples

Match by length: Set a length to match (in bytes)

-Ms 1000 # Set the response size to match greater than 1000 bytes

Match by elapsed time: Set a time (RTT) to match (in seconds)

-Mt 30 # Set the request+response elapsed time to match greater than 30 seconds

Combine match options to perform a precise analysis.

$ fuzzingtool -u https://mydomainexample.com/post.php?id= -w ~/wordlists/sqli.txt -Mc 500 -Mt 20 -t 50

You can also prefix the value with a logic operator to control how it is compared. Here are some examples:

# Match length examples
-Ms '>=10000' # Set the response size to match greater than or equal to 10000 bytes
-Ms '!=10000' # Set the response size to match different from 10000 bytes
-Ms '==10000' # Set the response size to match exactly 10000 bytes

# Match time examples
-Mt '>=30' # Set the request+response elapsed time to match greater than or equal to 30 seconds
-Mt '<30' # Set the request+response elapsed time to match less than 30 seconds

Blacklisting status codes

By blacklisting a status code, you stop FuzzingTool from continuing its fuzzing tests when an unwanted status is detected.

--blacklist-status STATUS:ACTION
# Available actions: skip | wait
--blacklist-status STATUS:skip # Skips the current target
--blacklist-status STATUS:wait=SECONDS # Pause the app for some seconds

For example, if you don't want to stress the server or cause internal errors, just skip the current target when detecting code 500:

--blacklist-status 500:skip

Another example, if the server rejects your requests (status 429) you can pause the app for some seconds:

--blacklist-status 429:wait=300 # Will wait for 5 minutes before resuming the app

For multiple status codes, just separate them with a comma:

--blacklist-status 429,500:skip

Default scanners

DataScanner

The DataScanner is the default scanner for the DataFuzzing type of fuzzing. This scanner adds the payload length attribute to the result:

result.scanners_res['PayloadLength'] = payloadLength

PathScanner

The PathScanner is the default scanner for the URL PathFuzzing type of fuzzing. This scanner adds the redirected attribute to the result:

result.scanners_res['PathScanner'].data['redirected'] = redirected

SubdomainScanner

The SubdomainScanner is the default scanner for the URL SubdomainFuzzing type of fuzzing. This scanner adds the target IP attribute to the result:

result.history.ip = target_ip

Default wordlists

FileWordlist

The file wordlist builds the wordlist from a file, one payload per line.

-w ~/example/directory/wordlist.txt

Example:

$ fuzzingtool -u https://FUZZ.domain.com/ -w ~/wordlists/subdomains.txt

ListWordlist

The list wordlist builds the wordlist from a payload list given on the command line.

-w [payload1,payload2,...]

Example:

$ fuzzingtool -u https://FUZZ.domain.com/ -w [cpanel,admin,wp-admin,mail]

You can set a range (integer or alphabet) inside or outside of a payload. Only one range per payload is accepted. For example:

-w [0-10] # Produces [0, 1, 2, 3, ..., 10]
-w [a-z] # Produces [a, b, c, d, ..., z]
-w [PAY0-10LOAD] # Produces [PAY0LOAD, PAY1LOAD, PAY2LOAD, ..., PAY10LOAD]
-w ['PAY\-LOAD'] # Produces [PAY-LOAD]
-w [init,0-10,end1,end2] # Produces [init, 0, 1, 2, 3, ..., 10, end1, end2]